IIS 6.0 does not serve aspx pages out of the box
No comments · Posted by lizet in .NET, .Net Framework, ASP.NET
I have used ASP.NET for quite some time. I have probably always been lucky that the infrastructure or deployment person always enabled aspx on IIS for me. I sometimes use Windows XP with IIS 5, or Vista with IIS 7. They do serve aspx pages by default; on XP, once the .NET Framework is downloaded and installed, there is nothing else to tweak.
On Friday afternoon, I had to deploy to an IIS 6 box on Windows 2003. To my surprise, it didn’t serve any of the aspx pages, not even a small Hello World project with a simple label. I missed the happy hour with my colleagues and went home completely puzzled. Why? ASP.NET was already available when Windows 2003 saw the light. To my surprise there was nothing in the event log.
The answer came a few hours later, after a few Google queries:
IIS 6.0: ASP.NET Is Not Automatically Installed on Windows Server 2003
1. Open IIS Manager, expand the master server node (that is, the Servername node), and then select the Web service extensions node.
2. In the right pane of IIS Manager, right-click the extension that you want to enable. In this example, this is Active Server Pages.
3. Click to select the Allow check box.
Add a New Web Service Extension to IIS 6.0
To permit IIS to serve content that requires a specific ISAPI or CGI extension that is not already listed in the Web service extensions list, follow these steps:
1. Open IIS Manager, expand the master server node, and then select the Web service extensions node.
2. In the right pane of the IIS Manager, click Add a new Web service extension under Tasks.
3. In the Extension name box, type a friendly name for the extension that you want to add (for example, FrontPage Server Extensions).
4. In the Required files box, click Add, and then select the path and the name of the file that will handle requests for the specific extension. After you select the path and the file name, click OK.
5. If the extension must be enabled immediately, click to select the Set extension status to allowed check box.
6. Click OK to save your changes.
Hopefully Mono will run seamlessly on Apache one of these days…
Triple hop issue with ASP.NET delegation Part I: Our Windows XP Pro desktops
1 Comment · Posted by lizet in ASP.NET, Delegation, Kerberos, Windows XP Professional
Last Friday we had an issue in production: we have a very simple web application with one single page on our intranet that consumes an array of web services. These web services talk to a back end SQL Server.
All in all this is a very typical scenario and, like most companies with .NET technology, we have web applications using ASP.NET delegation in the intranet. The only particular point regarding this web page is that it is called inside an old legacy Windows application (not a .NET app). For remote users, this old legacy application is used via Terminal Services.
For our remote users also, the application didn’t work and our DBA was registering a bunch of anonymous requests coming from the web server box…
On the other hand, we set up our web services tracing to debug and were able to see the end user credentials on each HTTP request, so the end user had managed to authenticate using Integrated Windows Security on our web box and the web service was trying to open a SQL connection to the back end.
We used impersonation and Integrated Windows Authentication on our web application and web services (this is an intranet after all). ASP.NET impersonation gave us the chance to restrict the access on the back end based on AD groups and at the same time gave us the ability to audit the user’s actions to a very fine grained degree (user name).
The PROBLEM with our Windows XP Pro desktop users
The application worked for our desktop users if and only if they had logged off and on their desktops in the past 48 hours. If the desktop users hadn’t logged on for a while (like me, since I lock my computer instead of logging off), the application didn’t work either and the SQL box passed an anonymous login attempt back to our web tier. The web services then passed a SOAP exception with the NT Service/Anonymous user error message to our web app…
System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
At first we thought it was the same problem, but it turns out the TS users couldn’t use the application even when they logged off and back on, not even when the TS server was restarted, hrm….
By dividing and conquering, we ran the kerbtray.exe tool on our web server and one of the desktops and enabled Kerberos logging on both boxes. We noticed that when the application worked, the user logging in to the web server box used Kerberos, but after a few days the logon defaulted to NTLM.
SOLUTION for the Windows XP Pro Desktops
It turns out this was a bug in the kerberos.dll running on Windows XP SP2; SP3 has this problem solved. More information can be found on this MSDN thread. The hotfix for Windows XP Professional SP2 can be found in this Microsoft Knowledge Base article. Although the article describes a different problem, the hotfix provided there contains the fixed Kerberos DLL.
There are quite a few articles regarding ASP.NET delegation
And quite a few MSDN forum threads, like this one I initiated and had a heated discussion with the moderator, my fault most of it.
The best resources I have found so far, and I hope this digested summary will help you if you have the same double/triple hop issue, are:
Keith Brown’s article on MSDN: Credentials and Delegation
and
nunos’s Blog: Concerning the credentials double hop issue
and the best of all is a webcast by Yung Chou *all kudos to his explanation of Protocol Transition*
This webcast specifically helped us troubleshoot and fix the second part of our problem, our failed connection when the end users connected remotely via terminal servers.
I’ll post more of the problem and the resolution on Part II…
…stay tuned.
Forms authentication and client caching in ASP.NET 1.1
No comments · Posted by lizet in ASP.NET, Cache, Forms Authentication, HTTP, Security
We got really sad news today, the type of news that makes you have a sustained stomachache for a few days.
I’m not going to blog about the way my stomach feels but to remind myself that I like what I do and this is not just a job, it’s a pleasure.
The Problem:
One of our web projects uses Forms authentication. After the authentication process we create an encrypted ticket, create the cookie that will be used by the FormsAuthentication provider and redirect to the requested page:
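    ' Requires Imports System.Web and System.Web.Security at the top of the file.
    ' Build the forms authentication ticket (version 1, valid for 60 minutes).
    Dim authTicket As New FormsAuthenticationTicket(1, UserName, DateTime.Now, _
        DateTime.Now.AddMinutes(60), isCookiePersistent, UserData)
    ' Encrypt the ticket and put it in the forms authentication cookie.
    Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)
    Dim authCookie As New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
    authCookie.Expires = authTicket.Expiration
    Context.Response.Cookies.Add(authCookie)
    ' Send the user back to the page that was originally requested.
    FormsAuthentication.RedirectFromLoginPage(UserName, False)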
During user log out we clear the session, call FormsAuthentication.SignOut() and redirect the user to the login page.
We had, however, an odd behavior. After the user had logged out of the application, he could, by clicking the back button in the same browser window, navigate to the previous pages he had opened. These pages were in the secure area. These pages were not requested from the server; the requests did not hit the server, so I presumed the user was seeing cached pages in the browser.
The Solution:
To use the directive Context.Response.Cache.SetNoStore() on all the secure pages that shouldn’t be cached.
For more info on the framework class HttpCacheability go to MSDN
For more info on Cache-Control Headers on HTTP 1.1 go here
The Side Effect Problem:
It seems IE does not store the file in its temporary Internet files folder whenever the server specifies the “no-store” HTTP cache directive; as a consequence, it cannot feed Acrobat/Excel or whatever external application with the output of your page. If the application generates Excel or PDF reports on the fly, they will produce an error if the HTTP directive is sent in the response.
http://support.microsoft.com/kb/243717/en-us
The Second Solution:
Remove this cache header whenever you need to send the client a file to be opened in the browser.
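One way to apply both solutions from a single place, as an added example that is not code from the original project: a hypothetical base class, SecurePage, sets no-store on every secure page unless the page declares that it streams a file. The class names and the SendsFileToClient property are assumptions made for this sketch.

```vbnet
Imports System
Imports System.Web
Imports System.Web.UI

' Hypothetical base class for every page in the secure area (name is an assumption).
Public Class SecurePage
    Inherits Page

    ' A page that streams a PDF or Excel report overrides this and returns True.
    Protected Overridable ReadOnly Property SendsFileToClient() As Boolean
        Get
            Return False
        End Get
    End Property

    Protected Overrides Sub OnInit(ByVal e As EventArgs)
        MyBase.OnInit(e)

        If SendsFileToClient Then
            ' no-store is left off so IE can write the file to its temporary
            ' folder and hand it to Acrobat or Excel. "private" still keeps
            ' the response out of shared proxy caches.
            Response.Cache.SetCacheability(HttpCacheability.Private)
        Else
            ' Adds no-store to the Cache-Control header, so the Back button
            ' after logout cannot show a locally stored copy of the page.
            Response.Cache.SetNoStore()
        End If
    End Sub
End Class

' Constructed example of a report page: it opts out because it returns a file.
Public Class MonthlyReportPage
    Inherits SecurePage

    Protected Overrides ReadOnly Property SendsFileToClient() As Boolean
        Get
            Return True
        End Get
    End Property
End Class
```

Responses that opt out can again be shown from the browser cache after logout, so the opt-out is best limited to the pages that really stream a file.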
